to said at least one gateway and at least two zone nodes, wherein said at least one gateway is a packet filtering machine and each of said zone nodes correspond to a partitioned collection of said addresses created by said at least one gateway;

receiving a query inquiring whether one or more given services are permitted between at least one source address and at least one destination address; and

evaluating said query against each of said rules associated with each gateway node in said gateway-zone graph that is encountered between said at least one source address and said at least one destination address.


2. (Unamended) The method of claim 1, wherein said rules are expressed as rule-base objects.

3. (Unamended) The method of claim 1, wherein said gateway-zone graph is derived 
from a network topology file. 


4. (Unamended) The method of claim 1, wherein said query includes a wildcard for at least one of said service, source address or destination address.

5. (Unamended) The method of claim 1, further comprising the step of determining a portion of said one or more given services that are permitted between at least one source address and at least one destination address.

6. (Unamended) The method of claim 1, further comprising the step of transforming said packet filtering configuration files into a table of logical rules that are processed during said evaluating step.

7. (Unamended) The method of claim 1, wherein said query consists of a source host- 
group, a destination host-group, and a service host-group. 
8. (Unamended) The method of claim 1, wherein said query specifies a location where packets are to be inserted into the network that is different from a source address.

9. (Amended) A method of modeling a network having a plurality of gateway devices, comprising the steps of:

identifying each gateway device in said network having a packet-filtering rule-base and each zone in said network defined by said gateway devices; and

generating a gateway-zone graph that models said network based on said packet-filtering rule-base, said gateway-zone graph having a gateway node corresponding to each of said gateway devices and a zone node corresponding to each of said zones.

10. (Unamended) The method of claim 9, wherein said gateway-zone graph is derived 
from a network topology file. 


11. (Unamended) The method of claim 9, further comprising the step of transforming said packet-filtering rule-base into a table of logical rules.
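The graph construction of claim 9 and the query evaluation of claims 1, 4 and 5, carried through in Python as an added example. This is illustrative code written for this claim listing, not an implementation from the patent; the zone prefixes, gateway names and rule-bases are constructed sample data standing in for a network topology file and packet filtering configuration files, and the first-match, deny-by-default rule semantics and the treatment of two addresses in the same zone as crossing no gateway are assumptions made for the example.

```python
from collections import deque
from ipaddress import ip_address, ip_network

# Constructed sample topology (stands in for a network topology file).
# Zones partition the address space; the most specific prefix wins, so
# "internet" (0.0.0.0/0) is the catch-all zone. All values are invented.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "dmz": ip_network("10.1.0.0/24"),
    "corp": ip_network("10.2.0.0/16"),
}

# Each gateway is a packet filter joining zones and carrying an ordered
# rule-base of (source_prefix, destination_prefix, service, action).
# Assumed semantics: first matching rule wins; no match means drop.
GATEWAYS = {
    "fw-edge": {
        "zones": ["internet", "dmz"],
        "rules": [
            ("0.0.0.0/0", "10.1.0.0/24", "http", "accept"),
            ("0.0.0.0/0", "10.1.0.0/24", "https", "accept"),
            ("0.0.0.0/0", "0.0.0.0/0", "*", "drop"),
        ],
    },
    "fw-inner": {
        "zones": ["dmz", "corp"],
        "rules": [
            ("10.1.0.0/24", "10.2.0.0/16", "https", "accept"),
            ("10.2.0.0/16", "0.0.0.0/0", "*", "accept"),
            ("0.0.0.0/0", "0.0.0.0/0", "*", "drop"),
        ],
    },
}


def build_gateway_zone_graph(zones, gateways):
    """Claim 9: bipartite adjacency list, one node per zone and per gateway."""
    graph = {zone: set() for zone in zones}
    for name, gw in gateways.items():
        graph[name] = set(gw["zones"])
        for zone in gw["zones"]:
            graph[zone].add(name)
    return graph


def zone_of(address, zones):
    """Zone whose prefix most specifically contains the address."""
    addr = ip_address(address)
    return max((net.prefixlen, name) for name, net in zones.items() if addr in net)[1]


def gateways_between(graph, src_zone, dst_zone, gateways):
    """Gateway nodes encountered on a shortest path between two zones (BFS).
    Two addresses in the same zone cross no gateway, so the list is empty."""
    parent = {src_zone: None}
    queue = deque([src_zone])
    while queue:
        node = queue.popleft()
        if node == dst_zone:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return [n for n in reversed(path) if n in gateways]
        for nxt in sorted(graph[node]):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    raise ValueError(f"no path from {src_zone} to {dst_zone}")


def rule_base_permits(rules, src, dst, service):
    """First matching rule decides; no match is treated as drop."""
    for rule_src, rule_dst, rule_svc, action in rules:
        if (ip_address(src) in ip_network(rule_src)
                and ip_address(dst) in ip_network(rule_dst)
                and rule_svc in ("*", service)):
            return action == "accept"
    return False


def known_services(gateways):
    """Service names appearing in any rule-base; used to expand a "*" query."""
    return sorted({r[2] for gw in gateways.values() for r in gw["rules"] if r[2] != "*"})


def evaluate_query(sources, destinations, services, zones=ZONES, gateways=GATEWAYS):
    """Claims 1, 4 and 5: for each (source, destination) pair, the portion of the
    queried services accepted by every gateway encountered between the zones."""
    graph = build_gateway_zone_graph(zones, gateways)
    if services == "*" or "*" in services:  # claim 4: wildcard on the service
        services = known_services(gateways)
    result = {}
    for src in sources:
        for dst in destinations:
            path = gateways_between(graph, zone_of(src, zones), zone_of(dst, zones), gateways)
            result[(src, dst)] = [
                svc for svc in services
                if all(rule_base_permits(gateways[gw]["rules"], src, dst, svc) for gw in path)
            ]
    return result
```

A call such as `evaluate_query(["10.2.5.7"], ["203.0.113.5"], "*")` walks the corp host out through both `fw-inner` and `fw-edge`; `fw-inner` accepts the traffic but `fw-edge` has no accepting rule for that destination, so the permitted portion is empty. This is the point of evaluating every gateway node on the path rather than only the nearest one: a service is reported as permitted only when each packet filter between the two zones accepts it.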

12. (Amended) An apparatus for analyzing at least one gateway in a network, said at least one gateway having a packet filtering configuration file including a plurality of packet filtering rules, said network having a plurality of addresses, said tool comprising:

a user interface for receiving a query inquiring whether one or more given services are 
permitted between at least one source address and at least one destination address, wherein each of 
said source addresses and said destination addresses correspond to one of said zones; and 
a user interface for indicating a portion of said one or more given services that are permitted between a portion of said at least one source address and a portion of said at least one destination address, said portions obtained by analyzing a gateway-zone graph that models said network based on said packet filtering configuration file with at least one gateway node corresponding to said at least one gateway and at least two zone nodes, wherein each of said zone nodes correspond to a partitioned collection of said addresses created by said at least one gateway.

13. (Unamended) The method of claim 12, wherein said rules are expressed as rule-base objects.

14. (Unamended) The method of claim 12, wherein said gateway-zone graph is 
derived from a network topology file. 



15. (Unamended) The method of claim 12, wherein said query includes a wildcard for at least one of said service, source address or destination address.

16. (Unamended) The method of claim 12, wherein said packet filtering configuration files are expressed as a set of logical rules.

17. (Unamended) The method of claim 12, wherein said query consists of a source host-group, a destination host-group, and a service host-group.

18. (Unamended) The method of claim 12, wherein said user interface allows a user to specify a location where packets are to be inserted into the network that is different from a source address.

19. (Amended) An apparatus for analyzing at least one gateway in a network, said at least one gateway having a packet filtering configuration file including a plurality of rules, said network having a plurality of addresses, said tool comprising:

a memory for storing computer readable code; and

a processor operatively coupled to said memory, said processor configured to:

generate a gateway-zone graph that models said network based on said packet filtering configuration file, said gateway-zone graph having at least one gateway node corresponding to said at least one gateway and at least two zone nodes, wherein said at least one gateway is a packet filtering machine and each of said zone nodes correspond to a partitioned collection of said addresses created by said at least one gateway;

receive a query inquiring whether one or more given services are permitted between at least one source address and at least one destination address; and

evaluate said query against each of said rules associated with each gateway node in said gateway-zone graph that is encountered between said at least one source address and said at least one destination address.

20. (Unamended) The tool of claim 19, wherein said rules are expressed as rule-base objects.

21. (Unamended) The tool of claim 19, wherein said gateway-zone graph is derived from a network topology file.

22. (Unamended) The tool of claim 19, wherein said query includes a wildcard for at 
least one of said service, source address or destination address. 

23. (Unamended) The tool of claim 19, further comprising the step of determining a portion of said one or more given services that are permitted between at least one source address and at least one destination address.

24. (Unamended) The tool of claim 19, further comprising the step of transforming said packet filtering configuration files into a table of logical rules that are processed during said evaluating step.

25. (Unamended) The tool of claim 19, wherein said query consists of a source host-group, a destination host-group, and a service host-group.



26. (Unamended) The tool of claim 19, wherein said query specifies a location where 
packets are to be inserted into the network that is different from a source address. 


27. (Amended) A computer readable medium having computer readable program code means embodied thereon, said computer readable program code means analyzing at least one gateway in a network, said at least one gateway having a packet filtering configuration file including a plurality of rules, said network having a plurality of addresses, said computer readable program code means comprising:

a step to generate a gateway-zone graph that models said network based on said packet filtering configuration file, said gateway-zone graph having at least one gateway node corresponding to said at least one gateway and at least two zone nodes, wherein said at least one gateway is a packet filtering machine and each of said zone nodes correspond to a partitioned collection of said addresses created by said at least one gateway;

a step to receive a query inquiring whether one or more given services are permitted 
between at least one source address and at least one destination address; and 

a step to evaluate said query against each of said rules associated with each gateway node in said gateway-zone graph that is encountered between said at least one source address and said at least one destination address.



28. (Amended) A system for modeling a network, comprising: 
a memory for storing computer readable code; and 

a processor operatively coupled to said memory, said processor configured to: 
identify each gateway device in said network having a packet-filtering rule-base and each zone in said network defined by said gateway devices; and

generate a gateway-zone graph that models said network based on said packet- 
filtering rule-base, said gateway-zone graph having a gateway node corresponding to each of said 


